Indonesia Information Security Forum (IISF) 2011
14 – 15 Dec. 2011

Global Information Security Threats Trend 2011

Dr. Yoichi SHINODA

Advisor on Information Security
National Information Security Center (NISC)
Cabinet Secretariat, Government of Japan

Professor
Dependable Network Innovation Center
Japan Advanced Institute of Science and Technology
The Outline


1. Follow-ups & Updates

2. Changes In The Long Term Threat Trend

3. Change of Game

4. Concluding Remarks





            Copyright (c) 2011 National Information Security Center (NISC). All Rights Reserved.
                                                                                                   1
1. Updates




“Update 2010” summaries and follow-ups (1)

- Drive-by Download & Gumblar
  - Introduced a new class of attack model: the Web-PC integrated infection cycle.
  - Countermeasures require an integrated approach covering both PCs and servers.

- Stuxnet and Its Impact
  - It targets FA (factory automation) systems and has the potential to damage critical infrastructure.
  - It penetrates and spreads into so-called “closed, physically isolated, dedicated systems” (--> a false belief about their secureness).
  - New malware utilizing Stuxnet modules is now emerging.




“Update 2010” summaries and follow-ups (2)

- Route Hijacking
  - No large incidents were reported for 2011; small incidents occur daily.

- Good Old DoS
  - Still a very popular and handy tool for expressing an individual’s or a group’s intentions.
  - Mitigation technology is available only in a limited manner.




2011 Updates (1)

- Hacktivists became conspicuous.
  - Frequent activities by hacktivists (loose communities of hacker activists), e.g., “Anonymous” and “LulzSec”, were observed.
  - The activities were triggered by impulsive events and often put large organizations such as national governments and global enterprises into jeopardy.

- Cyberspace is now widely (and, for some countries, officially) recognized as a field of confrontation, in many aspects.
- The existence of APTs (Advanced Persistent Threats) became clear.

- Malware targeting smartphones is showing rapid growth.
  - Trend Micro Oct. 2011 report (+200% growth from Sep. to Oct.)



2011 Updates (2)

- More and more “previously believed-to-be-secure” things have now become (potential) threat vectors:
  - Security tokens:
    - A security token vendor disclosed that some of its internal information was stolen.
  - Certificate Authorities and certificates:
    - A certificate authority was compromised and forced to issue forged certificates, resulting in possible vulnerabilities in multiple major global portal sites.
  - E-mails from business partners (or look-alikes):
    - E-mails forged to look legitimate, in terms of sender address, subject, attachment names and body text, may now carry fatal attack vectors.

2. Changes in The Long Term Trend




A Taxonomy of Information Security Threat
Threats from the attack vector perspective
    A)    Network Layer Attack
    B)    Web Application Layer Attack
    C)    Malware Infection
    D)    Abuse of Client Side Application
    E)    Social Engineering

[Figure: diagram of the five attack vectors (Network Layer Attack, Web App. Layer Attack, Malware Infection, Abuse of Client Side App., Social Engineering) arranged around “Hackers”.]

Changes In The Attack Model

- Around 2000, network layer attacks were very common and many incidents of network layer attack were reported.
  - Most major companies in Japan now have firewalls in front of their systems.

  1st Change of Attack model

- Around 2005, many web application layer attacks were reported (massive SQL injection).
  - Many web site owners checked the security holes of their web applications and fixed them.
  - However, there are still security holes in their web applications today.

  2nd Change of Attack model

- In 2009, web-based malware became widespread.
  - Even if the defenses of the network layer and the web application layer are in place, the risk of this attack still remains.
  - The defense should be in place not only on the server side but also on the client side, and this fact makes the problem difficult to fix.

- 2010~: The above are combined to form sophisticated attacks.
Changes In The Target Area

In 2009, the attack target area is getting larger, while the other areas are still not covered adequately.
We need to choose cost-effective security measures.

[Figure: attack target areas in 2000, 2005 and 2009 drawn over an Internet system and an intranet system, with FTP, VPN and remote access as entry points.]

Did Network Attacks Become History?

- Question: With the rise of Web-based attacks, the common installation of firewalls, and users shifting to newer operating systems, did network attacks become history?

- Answer: No.
  - New vulnerabilities in a wide range of software and systems are still reported every day.
  - Network attacks are still very active according to network monitors (such as nicter by NICT).
  - The presence of comprehensive bot networks amplifies the effect of newly found vulnerabilities (e.g., Welchia, Conficker, …).
  - Vulnerabilities are utilized for intranet network attacks.

- Likewise, Web application layer attacks (e.g., SQL injection and XSS attacks) are still very common.

Web Applications are inherently vulnerable?

Web applications are inherently vulnerable to attacks:
- Distributed Nature
  - Unlike traditional applications, web applications inherently deal with distributed components and services; even secure components and services become insecure when they depend on insecure remote components and services.
  - Web programming facilities are often introduced with functionality (aka “richer user experience”) as the first priority; security considerations are often very weak.
  - The WASC (Web Application Security Consortium) has identified 34 different classes of web application attacks and 15 different classes of web application weaknesses that can be attacked.

- Market Pressure
  - Most web applications have severe TTM (Time to Market) schedules.
  - Most web applications are believed to be “lighter” than traditional hard-coded applications, and thus can be made “cheaper”.
  - Most web applications are required to “be fancy”, not “be secure”.
Rise of the APTs

Advanced Persistent Threat (APT) usually refers to a group with both the capability and the intent to persistently and effectively target a specific entity.
- Advanced
  - Operators of APTs have a full spectrum of intelligence-gathering capabilities, including computer intrusion technologies and conventional techniques such as wire-tapping.
  - They often combine multiple targeting methods to produce more sophisticated methods to gain and maintain access to the target.

- Persistent
  - Operators give priority to a specific task rather than opportunistically seeking gains.
  - Targets are constantly monitored, often by a “low-and-slow” approach.
  - The operator’s goal is to maintain long-term access to the target.

- Threat
  - APTs are a threat because they have both capability and intent.
  - The operators have a specific objective and are skilled, organized, and often well funded.

3. Change of Game




Awareness Raising

Awareness raising plays one of the central roles in possible measures.
- Awareness raising in different sectors
  - Government
  - Private industries and enterprises, and supply chains
  - General public

- Awareness raising has direct and indirect effects
  - Prevents direct damage; a large portion of sophisticated attacks are triggered by careless or ignorant operations.
  - Incubates a common sense among people and industries about investment in the security aspects of ICT systems.




From the R&D perspective

NITRD CSIA IWG, “Cybersecurity Game-Change / Research and Development Recommendations” (May 2010)
- Recognition of the current state of the game
  - The cost of attack is asymmetric and favors the attacker.
  - The cost of simultaneously satisfying all the cyber security requirements of an ideal system is prohibitive.
  - The lack of meaningful metrics and economically sound decision making in security results in a misallocation of resources.

- Proposed ways of changing the game
  - Make cyber assets a moving target.
  - Create a trustworthy cyberspace (subspace) model.
  - Create a framework of economic incentives to reward secure practices and discourage bad actors.

Synergy makes 1 + 1 > 2

- Most measures come in a singular manner. If the resources to implement the measures are used in a synergetic manner, it may change the course of the game.

[Figure: collaboration diagram. Government bodies (MEXT, MIC, METI), the IPSJ (Information Processing Society of Japan), NICT and IPA are linked with the IT-Keys human resource development program, the MWS (Anti-Malware Engineering Workshop; benchmark data, use of the malware workbench), the Cyber Clean Center (malware information cooperation with ISPs and their customers), and with students, researchers and end users through participation and outreach. Outcomes: practical measures, awareness raising, human resources and new technologies.]
Concluding Remarks




Malware Infection Rates by Countries/Regions

Infection rate in the ASEAN region was relatively low in 1Q-2Q2011.

[Figure: world map of malware infection rates, 1Q-2Q2010.]

Rates by Microsoft CCM, per 1,000 PCs. Source: Microsoft Security Intelligence Report Volume 9
Malware Infection Rates by Countries/Regions

Infection rate in the ASEAN region is increasing (despite the color scale/scheme change).

[Figure: world maps of malware infection rates, 1Q2011 and 2Q2011.]

Rates by Microsoft CCM, per 1,000 PCs. Source: Microsoft Security Intelligence Report Volume 11
We can change, we must change

- Goals
  - Prevent economic and other damage to people, companies, countries and the region.
  - Provide a safe and secure investment environment to promote further growth of individual countries and the region.

- Current situation
  - The attack model is evolving quickly.
  - End users are becoming more connected to the rest of the world every day.
  - Rise of the APTs and the parties behind them.

- Required actions
  - Recognize the current state and identify problems.
  - Establish measures in the government, and guide the private sector to do the same.
  - Awareness raising in government and public sectors.
  - Proper investments into proper programs.
  - Don’t panic, but start your action and go on to the next step.
